Security Feature Changes

Oracle Solaris 11 introduces the following key security changes:

Auditing – Auditing is a now a service and is enabled by default. No reboot is required when disabling or enabling this service. The auditconfig command is used to view information about audit policy and to change audit policy. The auditing of public objects generates less noise in the audit trail. In addition, auditing of non-kernel events has no performance impact.

Cryptographic Framework – This feature now includes more algorithms, mechanisms, plug-ins, and support for Intel and SPARC T4 hardware acceleration. Also, Oracle Solaris 11 provides better alignment with the NSA Suite B cryptography.

Kerberos DTrace providers – A new DTrace USDT provider that provides probes for Kerberos messages (Protocol Data Unit) has been added. The probes are modeled after the Kerberos message types that are described in RFC4120.

loficommand changes – lofi now supports the encryption of block devices. See lofi(7D).

profilescommand changes – In Oracle Solaris 10, the command is only used to list profiles for a specific user or role, or a user's privileges for specific commands. In Oracle Solaris 11, you can also create and modify profiles in files and in LDAP by using the profiles command, See profiles(1).

sudocommand – The sudo command is new in Oracle Solaris 11. This command generates Oracle Solaris audit records when running commands. The command also drops the proc_exec basic privilege, if the sudoers command entry is tagged as NOEXEC.

If you attempt to set this obsolete parameter in the /etc/system file, the following message is displayed:

sorry, variable 'rstchown' is not defined in the 'kernel'

Network Security Features

The following network security components are supported in this release:

Internet Key Exchange (IKE) and IPsec – IKE now includes more Diffie-Hellman groups and can also use Elliptic Curve Cryptography (ECC) groups. IPsec includes AES-CCM and AES-GCM modes and is now capable of protecting network traffic for the Trusted Extensions feature of Oracle Solaris (Trusted Extensions).

IPfilter Firewall – IPfilter Firewall, which is similar to the open source IPfilter feature, is compatible, manageable, and now highly integrated with SMF. This feature enables selective access to ports, based on IP address.

Secure by Default – In Oracle Solaris 10, this feature was introduced, but was netservices limited and was also turned off by default. In Oracle Solaris 11, this feature is enabled. The Secure by Default feature is used to disable and protect several network services from attack and provides minimization of network exposure. Note that only SSH is enabled.

SSH – Support for host and user authentication by using X.509 certificates is now available.

Removed Security Features

The following security features are excluded from Oracle Solaris 11:

Automated Security Enhancement Tool (ASET) – The ASET functionality is replaced by a combination of IPfilter, which includes svc.ipfd, BART, SMF, and other security features that are supported in Oracle Solaris 11.